Issue: Users get "Access Denied" on a SharePoint 2010 claims-based web application. The users are not added to the site explicitly; they are granted access through Active Directory security groups.
Role claims are not working.
How to get role claims from the Active Directory attribute store using the ADFS claim rule language.
Background:
Many mid-sized organizations and universities around the world use Shibboleth, an open-source federated identity-based authentication and authorization infrastructure. Shibboleth uses SAML (Security Assertion Markup Language, version 1.1 or 2.0) to exchange security information and achieve web single sign-on (web SSO).
SharePoint 2010 has its own built-in security token service (STS) application that can validate claims tokens and authorize users. The SharePoint STS acts as a relying party; in other words, it consumes tokens from a trusted issuer, so from the federation's point of view it is a service provider.
SharePoint 2010 cannot integrate directly with Shibboleth: the SharePoint STS only accepts SAML 1.1 tokens delivered by the WS-Federation passive protocol, which the Shibboleth IdP does not support natively, and it cannot validate the SAML 2.0 assertions Shibboleth issues. Therefore we need another layer between the two that validates the Shibboleth token and transforms it into a token the SharePoint STS accepts. This is where Microsoft Active Directory Federation Services 2.0 (ADFS 2.0) comes in. Like Shibboleth, ADFS is a federation product with rich SSO features; it can issue and validate SAML tokens, and it speaks both SAML 2.0 and WS-Federation.
After I successfully integrated SharePoint 2010 with ADFS and Shibboleth, users were still not able to access the site. So where was the problem? I enabled ADFS logging and found that tokens were arriving from Shibboleth, so why was the SharePoint STS unable to authorize the user?
After a little debugging I found the cause.
I was not getting a role claim (the user's group membership) from Shibboleth; I was only getting the name identifier, which was the user's login ID. If AD security groups are added to the claims-based SharePoint site, users who are members of those groups fail authorization because the token carries no group membership for SharePoint to match against. Here is how I solved it.
Configuration:
SharePoint STS: relying party (service provider) of ADFS
ADFS 2.0: relying party (service provider) towards Shibboleth, claims provider (federation provider) towards SharePoint
Shibboleth: identity provider (claims provider)
Identity store: Active Directory
Claim being used: Windows account name
Role: role claim (issued from Active Directory group membership)
Solution:
At the claims provider trust (Shibboleth) I receive the name identifier claim from Shibboleth and transform it into a WindowsAccountName claim.
At the relying party trust (SharePoint) I pass the WindowsAccountName claim through as is.
I then created a custom rule, placed second in the rule list of each relying party trust, that looks up the user's group membership in Active Directory.
The rule is below.
I used the "Send Claims Using a Custom Rule" template.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;contoso\{0}", param = c.Value);
In this rule the incoming WindowsAccountName claim is used to query the Active Directory attribute store. The query string has the form QUERY_FILTER;ATTRIBUTES;DOMAIN\USERNAME: here the filter is empty, the attribute is tokenGroups, and the account is contoso\{0}, where ADFS substitutes the {0} placeholder with param, i.e. the value of the incoming claim. tokenGroups returns the user's security group membership including nested groups, and ADFS issues one role claim per group in DOMAIN\GroupName form, which is what SharePoint matches against the groups added to the site. The lookup only succeeds if an account with that name exists in the contoso domain and the ADFS service account can read it. Because the account name is derived from whatever Shibboleth asserts as the name identifier, the Shibboleth claims provider trust is effectively trusted to assert AD identities; keep its signing certificate and the transformation rule under tight control.
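The complete rule set described above, applied with the ADFS 2.0 PowerShell snap-in, as an added example that is not part of the original post. The trust display names "Shibboleth IdP" and "SharePoint 2010" and the domain contoso are assumptions and must be changed to match your farm; the claim type URIs and the tokenGroups query are the ones used in the rule above.

```powershell
# Added example, not the original author's script. Applies the three claim rules from the post:
# (1) name identifier -> WindowsAccountName at the Shibboleth claims provider trust,
# (2) pass WindowsAccountName through at the SharePoint relying party trust,
# (3) issue role claims from AD tokenGroups at the same relying party trust.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$domain   = "contoso"          # assumption: NetBIOS name of the AD domain
$idpTrust = "Shibboleth IdP"   # assumption: display name of the claims provider trust
$spTrust  = "SharePoint 2010"  # assumption: display name of the relying party trust

$nameId  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$winAcct = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
$role    = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# 1. Claims provider trust: the Shibboleth name identifier becomes a WindowsAccountName claim.
#    Issuer and OriginalIssuer are carried over so later rules can still tell where it came from.
$acceptanceRules = @"
@RuleName = "NameID to WindowsAccountName"
c:[Type == "$nameId"]
 => issue(Type = "$winAcct", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@
Set-ADFSClaimsProviderTrust -TargetName $idpTrust -AcceptanceTransformRules $acceptanceRules

# 2. + 3. Relying party trust: pass-through first, then the tokenGroups lookup (second in the list).
#    {0} is replaced by param (the WindowsAccountName value) when the AD attribute store runs the query.
$issuanceRules = @"
@RuleName = "Pass through WindowsAccountName"
c:[Type == "$winAcct"]
 => issue(claim = c);

@RuleName = "Role claims from AD tokenGroups"
c:[Type == "$winAcct"]
 => issue(store = "Active Directory", types = ("$role"), query = ";tokenGroups;$domain\{0}", param = c.Value);
"@
Set-ADFSRelyingPartyTrust -TargetName $spTrust -IssuanceTransformRules $issuanceRules

# Check: show the rule set ADFS now holds for the relying party trust.
(Get-ADFSRelyingPartyTrust -Name $spTrust).IssuanceTransformRules
```

Note that -AcceptanceTransformRules and -IssuanceTransformRules replace the whole rule set on the trust, so if the trust already has other rules (for example a pass-through for e-mail or UPN), read them with Get-ADFSClaimsProviderTrust / Get-ADFSRelyingPartyTrust first and include them in the string you set.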
Note: This requires some knowledge of claim rules and the claim rule language.
This solved my problem. Users first authenticate at Shibboleth and we get a valid SAML token for the user. ADFS then uses that token to look up the user's groups and issue role claims. Now I can add AD security groups to my claims-based site and authorize the user with role claims.